Unauthorized Course Enrollment in Tutor LMS Plugin for WordPress
CVE-2025-13934

4.3MEDIUM

Key Information:

Vendor: WordPress
Status: Tutor Lms – Elearning And Online Course Solution
Vendor: CVE Published:; 9 January 2026

What is CVE-2025-13934?

The Tutor LMS plugin, used for eLearning and online course solutions on WordPress, is susceptible to a vulnerability that enables unauthorized course enrollment. All versions up to and including 3.9.3 are affected due to a lack of capability verification and purchasability validation within the course_enrollment() AJAX handler. This flaw permits authenticated users with subscriber-level access and higher to enroll themselves in any course without completing the necessary purchase process, thereby potentially compromising the intended access controls and revenue model of the courses.

Affected Version(s)

Tutor LMS – eLearning and online course solution * <= 3.9.3

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3422766/tuto...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 9, 2026
Vulnerability Reserved
Dec 2, 2025

Credit

Supakiad S.

JSON